Re: zd1211 3.0.0.56 "vendor driver" - please help port to zd1211rw


On Mon, May 25, 2009 at 8:08 AM, Hin-Tak Leung <hintak.leung@xxxxxxxxx> wrote:
> For 32-bit, it seems to work alright, except for one oops
> in AP mode when a client connects so far (out of a few connects).

I think I found the reason for the oops - it is a regression newly
introduced in 3.0.0.56, actually...
Diff below, which probably has some white space problems from
cut-and-paste, but should be obvious...

------------------------------------------------------
From 7a12176808ba628b80aeadc44bc27a042735387a Mon Sep 17 00:00:00 2001
From: Hin-Tak Leung <HinTak.Leung@xxxxxxxxx>
Date: Mon, 25 May 2009 11:43:32 +0100
Subject: [PATCH] fix NULL pointer dereference newly introduced in 3.0.0.56

Tchal_WaitChalRsp() and AsocTimeOut() can be called with arg=NULL
from zd_SendTChalMsg() and zd_SendTAsocMsg() respectively. New to 3.0.0.56
is code to clear frame description, which does not check for NULL input.
Tchal_WaitChalRsp() oops is observed in AP mode when a client tries to connect.
---
 ar2524drv/src/zdasocsvc.c |    3 +++
 ar2524drv/src/zdauthrsp.c |    3 +++
 2 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/ar2524drv/src/zdasocsvc.c b/ar2524drv/src/zdasocsvc.c
index 90bba79..780a950 100644
--- a/ar2524drv/src/zdasocsvc.c
+++ b/ar2524drv/src/zdasocsvc.c
@@ -659,6 +659,8 @@ BOOLEAN AsocTimeOut(Signal_t *signal)
 	}
 	
 	mRequestFlag |= CONNECT_TOUT_SET;
+  if(signal != NULL)
+  {
     if(signal->frmInfo.frmDesc != NULL)
     {
         freeFdesc(signal->frmInfo.frmDesc);
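Review bot: The added `if(signal != NULL)` and `{` in AsocTimeOut() are indented with two spaces while the block they now enclose keeps its old four-space indent, so the nesting does not read correctly next to the tab-indented `mRequestFlag |= CONNECT_TOUT_SET;` line. An early exit placed right after the flag is set, `if (signal == NULL) return FALSE;`, would behave the same on the lines shown, avoid re-indenting the cleanup block, and make the separate closing-brace hunk unnecessary.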
@@ -666,6 +668,7 @@ BOOLEAN AsocTimeOut(Signal_t *signal)
     }
     pdot11Obj->ReleaseBuffer(signal->buf);
     freeSignal(signal);
+  }
 	return FALSE;
 }
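Review bot: Inside the new guard, `pdot11Obj->ReleaseBuffer(signal->buf);` is still called with no check on `signal->buf`, whereas `signal->frmInfo.frmDesc` is tested against NULL before `freeFdesc()`. Since this patch exists because a pointer reached this path as NULL, it is worth confirming that ReleaseBuffer() tolerates a NULL buffer, or adding the same kind of check on `signal->buf` here.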

diff --git a/ar2524drv/src/zdauthrsp.c b/ar2524drv/src/zdauthrsp.c
index 081b9bb..27c2bb9 100644
--- a/ar2524drv/src/zdauthrsp.c
+++ b/ar2524drv/src/zdauthrsp.c
@@ -198,6 +198,8 @@ BOOLEAN Tchal_WaitChalRsp(Signal_t *signal)
 		UpdateStaStatus(&Sta, STATION_STATE_NOT_AUTH, vapId);
 		AuthRspState = STE_AUTH_RSP_IDLE;
 	}
+  if(signal != NULL)
+  {
     if(signal->frmInfo.frmDesc != NULL)
     {
         freeFdesc(signal->frmInfo.frmDesc);
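Review bot: Tchal_WaitChalRsp() carries no comment saying that `signal` may legitimately be NULL, which the commit message attributes to the call from zd_SendTChalMsg(). A one-line comment above the added `if(signal != NULL)` stating that would keep a later cleanup from dropping the guard as redundant.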
@@ -205,6 +207,7 @@ BOOLEAN Tchal_WaitChalRsp(Signal_t *signal)
     }
     pdot11Obj->ReleaseBuffer(signal->buf);
     freeSignal(signal);
+  }
 	return FALSE;
 }
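Review bot: The guarded cleanup at the end of Tchal_WaitChalRsp() (`freeFdesc`, `ReleaseBuffer`, `freeSignal`) is the same sequence that this patch guards in AsocTimeOut() in zdasocsvc.c, so the NULL check now has to be kept in sync in two places. Consider moving the sequence into one helper that returns immediately when `signal` is NULL and calling it from both functions.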

-- 
1.6.0.6

---------------------------------------------------------